Javascript - Sandbox

Greetings to all,

I’m using my own javascript (windows scripting) to light manipulation of my php files - frequently. This script is running repeatedly by windows batch. All works fine, but Sandbox always popups to isolate my script - as many times as script is running - this is very unconfortable, in spite of script is in trusted files in Defence+ (comp rebooted). Pending files - empty, Blocked files - empty. Defence+ running as CleanPC.

Sorry, I’m village idiot only, I’m not able adding myself as trusted vendor ;D.

Is any way out?


Interesting, are the files being modified after being made safe files?

Are they being compiled?

Are you running the files using the Windows task scheduler?

Could you paste your D+ logs please so we can see what exactly is being sandboxed?

Please also submit the information requested under ‘how to submit bug reports’ in the stickies.

Best wishes


Hey Gaga, Try making your compiler a trusted program through Comodo.

Yes, there is something weird, script is normal clean ascii (for Windows Scripting Host - running thru system wscript.exe), not modified (last year ;), not compiled (there’s no need nor try)

D+ :
2010-06-03 08:56:25 C:\upload!uncom.js Sandboxed As Limited
… more, more same lines…

Config changes:
2010-06-03 08:56:31 String Added User Defense+ Own Safe File C:\upload!uncom.js

2010-06-03 08:56:24 Sandbox Alert !uncom.js 2010-06-03 08:56:31 Run outside Sandbox

  1. AMD 64 X2
  2. windows7 x32
  3. only Comodo
  4. running windows batch file, that in ‘for’ cycle 7 times (for example) calls host script, this one open php file, modify it and save it
  5. trying to add batch and script into my own safe files, trying to ignore D+ popup, trying to check Do not run in Sandbox, trying to change filenames (any thinkable attepmt) - no positive result

This worrying me only from Comodo 4 version, previously version works fine to me


If possible please mark all those applications through CIS\defense+ as trusted. Do you get an alert of those programs sand-boxing? (you should!) select ‘don’t run in sandbox’ If your still getting troubles, maybe it is a good idea to disable the sandbox while you wait for a fix.

Hmm, I didn’t find the way to mark script file as trusted…
Kyle: point 5 in my previous post… did you see?

Problem is only popup, everything works ok, D+ doesn’t block my script anyway

My guess is that the you are getting repeated alerts because the file is being modified. D+ may be saying that is a different file, because it could be!

To get round this you need to confer inheritable rights on a file that is running this file. You do this by making the calling file an installer/updater in the computer security policy.

So all you need to do is work out which file is calling this file and hope it is not explorer.exe - its dangerous to make explorer.exe and installer/updater, and it is very likely to run unknown files which may be malware. You probably know which file this is already. If not I can help you find out. Basically you use Microsoft process explorer (just Google it!) to observe what is happening.

Best wishes


OK, after deeper testing:
when I run jscript from cmd line alone - no popup. But, if I run same command from batch file D+ popups.
I suppose D+ hate batch running jscript, because my testing jscript include: var a = 1; nothing else :wink:

So, this case is curiosity, I’ll try overcome my loafing to write all I need into one jscript file.

Alternatively just define the batch file as an installer/updater in the computer security policy. Does the jscript file get changed on each run (or each time it gets sandboxed)? (Both file modified date and contents is important).

Modified files should be sandboxed, so I need to know this to know if this is a bug or not!

Best wishes


just simple test - create two files (only one line each):

  1. test.bat:

  2. test.js:
    WScript.Echo(‘hello world!’);

now run test.bat and D+ will popup as I wrote before…

happy bug hunting :wink:

posted here;msg398321

And also argued here with no positive outcome;msg400888#msg400888

qaqa… as you have just pointed out… you, myself and sharon… Running raw code won’t generate defense + alerts…

Feature or bug? Hmm thats question. But D+ popup will misunderstand user, whatever you do with popup,
script will work normally. I thought that sandbox can virtualize script, that will not work in result ???

I found the (personal) way out: excluding batch file, I’m using jscript only :stuck_out_tongue:

best regs

Yeh the sandboxing of the scripts would work great :slight_smile:

I have done so and can replicate a sandbox alert for test.bat running test.js, but not test.js run directly.

Making test.bat an installer/updater suppresses this alert, and CIS seems to remember this suppression until reboot. (Presumably not intended behaviour as the file does not remain in memory, I have checked). So that’s more than one issue or bug!

I am just about to try making it a safe file and rebooting

Best wishes


OK have done that. No s/b alert for test.bat when it is a safe file.

You can increase security slightly by adding .js extension to the executable files group. Then you get an alert for test.js when run from test.bat if test.bat is made a safe file.

But you still don’t get alert if executed from explorer.exe.

This may have something to do with the fact that .js files are executed using a file association which opens windows scripting host with the file name as a parameter, like this: “C:\WINDOWS\System32\WScript.exe” “C:\Documents and Settings\Michael\My Documents\test.js”. So the OS in a sense sees the .js file as a datafile.

Please add the system details indicated here.

Best wishes


Please add the details indicated here.

Best wishes


I wonder if you could tell me if script is now being sandboxed on your machines in Seems to be on my machine.

I also now have a sandbox alert this time for the script file that I cannot supress even if the script and batch file are safe.

Many thanks